How to create a report of all forwarders per index...

athorat · ‎06-16-2015

How do I get the number of forwarders per index/source type along with the status (running/stopped) and the amount of data being pushed to that index per day?
Say list of all forwarders with status and the amount of data indexed for index=DNS sourcetype=PROD:DNS

lguinn2 · ‎06-16-2015

Here is an answer that may help you get started

Listing forwarders

However, there is no way to find out the current status of the forwarder (running/stopped). You can see when a forwarder last sent data, and if it hasn't sent any during the last hour, you could flag it. That's a reasonable proxy for "down".

This doesn't list the data by index or source, just by forwarder. You should take a look at the built-in license usage report on the server that is acting as your license master. Finally, look at the Distributed Management Console (you can get there from the Settings drop-down) - it also has some license usage reports.

Finally, you could install the Deployment Monitor app. I've found it a good source for searches in the past. Usually I just take the searches that seem useful and modify them, then put them in my own app and uninstall the Deployment monitor.

Watch out for the metrics.log - it is a good source for a lot of information, but it only logs the top 10 sources/sourcetypes/hosts for each time period. So although it gives some great information, it won't be complete.

How to create a report of all forwarders per index/sourcetype, their status (running/stopped), and amount of data pushed to that index per day?

Enterprise Security Content Updates (ESCU) - New Releases

Thought Leaders are Validating Your Hard Work and Training Rigor

.conf23 Registration is Now Open!